Re: [Samba] username map with “security = ads”

On Thu, 2 May 2019 11:59:45 +0200
Philipp Gesang via samba <samba@xxxxxxxxxxxxxxx> wrote:
> Hey guys,
>
> on a machine with the role “member server”, joining AD requires
> setting “security = ads”.
This would make your computer a Unix domain member of an Active
Directory domain.
> Access to shares using local users set up through smbpasswd requires
> “security = user”.
You cannot have 'local' users in an AD domain, they are either
domain users or they are unknown to the domain.
> As I understand the man page, these are mutually exclusive.
Yes.
> Now our use case requires for the machine to be joined but also grant
> access to shares to local users.
Not going to happen, because your local users will be unknown to the
domain.
> Share access for domain users is not desirable as clients are mostly
> automated remote services that needn’t be AD aware.
Might not be desirable, but you might have to do it.
>
> I guess handing net a different smb.conf to perform the join is
> the obvious quick'n'dirty fix.
I cannot see how this would work, yes you could use a very small
smb.conf to join the domain and then expand on it, but you would still
have local users that would not be known to the domain.
> I’m wondering though if there is a parameter that would make this
> unnecessary.
No, there is nothing you can do that would allow what you want to do.
Have you considered setting Samba up as a standalone server?
Rowland